The FreeIPA team would like to announce FreeIPA 4.9.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

== Bug fixes

FreeIPA 4.9.2 is a stabilization release for the features delivered as a part of 4.9 version series.

There are more than 20 bug-fixes since FreeIPA 4.9.1 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

== Upgrading

Upgrade instructions are available on Upgrade page.

== Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...) or #freeipa channel on Freenode.

== Resolved tickets

* https://pagure.io/freeipa/issue/6739%5B#6739] Cannot login to replica's WebUI * https://pagure.io/freeipa/issue/8404%5B#8404] Detect and fail if not enough memory is available for installation * https://pagure.io/freeipa/issue/8452%5B#8452] update samba configuration on IPA master to explicitly use 'server role' setting * https://pagure.io/freeipa/issue/8506%5B#8506] Nightly failure in ipa-server-install --uninstall: org.freedesktop.DBus.Error.NoReply * https://pagure.io/freeipa/issue/8533%5B#8533] Nightly failure in ipa-replica-install configuring renewals: DBusException: org.freedesktop.DBus.Error.NoReply * https://pagure.io/freeipa/issue/8550%5B#8550] (https://bugzilla.redhat.com/show_bug.cgi?id=1902173%5Brhbz#1902173]) Uninstallation of server with KRA diplays error but proceeds successfully (unable to access security domain) * https://pagure.io/freeipa/issue/8554%5B#8554] (https://bugzilla.redhat.com/show_bug.cgi?id=1891056%5Brhbz#1891056]) ipa-kdb: support subordinate/superior UPN suffixes * https://pagure.io/freeipa/issue/8588%5B#8588] The 'ipactl status' command exit code does not fail on a partial error * https://pagure.io/freeipa/issue/8630%5B#8630] (https://bugzilla.redhat.com/show_bug.cgi?id=1909876%5Brhbz#1909876]) Do not resolve user/group UID/GID in the service constructors * https://pagure.io/freeipa/issue/8636%5B#8636] (https://bugzilla.redhat.com/show_bug.cgi?id=1923900%5Brhbz#1923900]) Samba on IdM member failure * https://pagure.io/freeipa/issue/8647%5B#8647] (https://bugzilla.redhat.com/show_bug.cgi?id=1912556%5Brhbz#1912556]) Incorrect DNSKEY created when DNSSEC enabled for zone * https://pagure.io/freeipa/issue/8658%5B#8658] (https://bugzilla.redhat.com/show_bug.cgi?id=1924501%5Brhbz#1924501]) Value stored to 'krberr' is never read in ipa-rmkeytab.c * https://pagure.io/freeipa/issue/8669%5B#8669] Reduce difference between upstream and downstream releases * https://pagure.io/freeipa/issue/8675%5B#8675] Update failed: NSS is built without support of the legacy database(DBM) * https://pagure.io/freeipa/issue/8683%5B#8683] [ipatests] `test_ipa_dns_systemrecords_check` and `test_ipa_healthcheck_no_errors` fail in Azure Pipelines * https://pagure.io/freeipa/issue/8685%5B#8685] KDC cert has no SAN DNSname * https://pagure.io/freeipa/issue/8686%5B#8686] (https://bugzilla.redhat.com/show_bug.cgi?id=1922955%5Brhbz#1922955]) Resubmitting KDC cert fails with internal server error * https://pagure.io/freeipa/issue/8689%5B#8689] Add centos platform module * https://pagure.io/freeipa/issue/8690%5B#8690] Add a tool to control interactive programs on remote hosts in IPA tests * https://pagure.io/freeipa/issue/8699%5B#8699] (https://bugzilla.redhat.com/show_bug.cgi?id=1926699%5Brhbz#1926699]) avc denial for gpg-agent with systemd-run * https://pagure.io/freeipa/issue/8704%5B#8704] (https://bugzilla.redhat.com/show_bug.cgi?id=1926910%5Brhbz#1926910]) ipa cert-remove-hold returns an incorrect error message * https://pagure.io/freeipa/issue/8712%5B#8712] Support new baseURL config option for ACME

== Detailed changelog since 4.9.1

=== Alexander Bokovoy (14)

* Back to git commits https://pagure.io/freeipa/c/811d130c66880208a244741b90a5e6de2429004a%5Bcommi...] * Become IPA 4.9.2 https://pagure.io/freeipa/c/34600a0ecac3ad3fbe7b7b5767c3a4c1a455dc45%5Bcommi...] * po: refresh translations to remove outdated strings https://pagure.io/freeipa/c/66ffc9a612e932578b609061a5f1b38fc1c46c50%5Bcommi...] * po: update translations template https://pagure.io/freeipa/c/d1313a595d63ced25b2df029029ef501e88ea596%5Bcommi...] * test_installutils: run gpg-agent under a specific SELinux context https://pagure.io/freeipa/c/7ca2797eaca963fe94f7396353569f7f8ed6d09d%5Bcommi...] https://pagure.io/freeipa/issue/8699%5B#8699] * Force-update translation after FreeIPA to IPA change: po/fr.po https://pagure.io/freeipa/c/fc9652107e4424f0567bc5a010cad15047db7212%5Bcommi...] * Force-update translation after FreeIPA to IPA change: po/es.po https://pagure.io/freeipa/c/12d92fe517504ac9bec2d76bc15e7303af2f89e5%5Bcommi...] * Force-update translation po/id.po https://pagure.io/freeipa/c/e77d68900a1e8d0476670b0d59b13cea6e1b7f80%5Bcommi...] * Force-update translation po/fr.po https://pagure.io/freeipa/c/cf054fc169879fcd3987b97ccec163402c706392%5Bcommi...] * Force-update translation po/es.po https://pagure.io/freeipa/c/d8398815b10c53e678d96ea31afc9a0eb671f57b%5Bcommi...] * Force-update translation po/de.po https://pagure.io/freeipa/c/7d00ad4b767eb17e218e03544aa53881c9333330%5Bcommi...] * client: synchronize ignored return codes with ipa-rmkeytab https://pagure.io/freeipa/c/5a1ad476e04859e68809435a8098beef1d38c76d%5Bcommi...] https://pagure.io/freeipa/issue/8658%5B#8658] * ipa-sam: return NetBIOS domain name instead of DNS one https://pagure.io/freeipa/c/8a4cf2187a6298a46b52ba12ff04648b73f8dd56%5Bcommi...] https://pagure.io/freeipa/issue/8636%5B#8636] * Back to git commits https://pagure.io/freeipa/c/9690659ddf57e32a9255d8eed8d27b3ffa8a90cf%5Bcommi...]

=== Antonio Torres (4)

* ipatests: test addition of invalid sudo command https://pagure.io/freeipa/c/029daa5ffad5ee5f7be9c3661d88c98fe20398cb%5Bcommi...] * sudocmd: ensure command doesn't contain trailing dot before adding it https://pagure.io/freeipa/c/602a4fa321560c69407d1c6d0a04f190a5350038%5Bcommi...] * WebUI: change FreeIPA naming to IPA in About dialog https://pagure.io/freeipa/c/4f63dc994522243fde1cb932f6a8b5a26a171933%5Bcommi...] https://pagure.io/freeipa/issue/8669%5B#8669] * Update samba configuration on IPA master to explicitly use 'server role' setting https://pagure.io/freeipa/c/2b64a4e8ad5563030650f6d293d4b0537d72cd2c%5Bcommi...] https://pagure.io/freeipa/issue/8452%5B#8452]

=== Christian Heimes (4)

* configure: ipaplatform falls back to ID_LIKE https://pagure.io/freeipa/c/55180f6e9141bca391a7e2c9d9727948624c307f%5Bcommi...] https://pagure.io/freeipa/issue/8689%5B#8689] * Don't install csrgen extra dependencies https://pagure.io/freeipa/c/de3510211537f116a097d1212d2586f4b0726467%5Bcommi...] https://pagure.io/freeipa/issue/8669%5B#8669] * Ensure that KDC cert has SAN DNS entry https://pagure.io/freeipa/c/5ab290a048d34b03821716b1606f9a33f62964d9%5Bcommi...] https://pagure.io/freeipa/issue/8685%5B#8685] * Fix cert_request for KDC cert https://pagure.io/freeipa/c/2c48897ed1700725d3cd07a4a106e40f62d76c47%5Bcommi...] https://pagure.io/freeipa/issue/6739%5B#6739], https://pagure.io/freeipa/issue/8686%5B#8686]

=== Florence Blanc-Renaud (8)

* ipatests: update expected error message https://pagure.io/freeipa/c/9854c399da83a30259ccec9cf9277ffd97f7cd67%5Bcommi...] https://pagure.io/freeipa/issue/8704%5B#8704] * xmlrpc tests: add a test for cert-remove-hold https://pagure.io/freeipa/c/55c7e2121ea78eec102560d176ccb2c74146caf7%5Bcommi...] https://pagure.io/freeipa/issue/8704%5B#8704] * cert plugin: propagate the error for non-existent cert https://pagure.io/freeipa/c/45d7d15c1186bc563393ae0bf131ccf94b1d12c4%5Bcommi...] https://pagure.io/freeipa/issue/8704%5B#8704] * ipatests: ipactl status now exits with 3 when a service is stopped https://pagure.io/freeipa/c/8d30629801a88a8f03c94f2274ed93a1ff0a38be%5Bcommi...] https://pagure.io/freeipa/issue/8588%5B#8588] * ipatests: fix ipahealthcheck fixture _modify_permission https://pagure.io/freeipa/c/b784e1f8d4e393e31616430f74ccc3d158418619%5Bcommi...] * OpenDNSSEC: fix timezone in key creation date https://pagure.io/freeipa/c/2a51892ab9688b6bc5282098a426003932462549%5Bcommi...] * ipatests: add a test for ZSK/KSK keytype in DNSKEY record https://pagure.io/freeipa/c/dd21d068cb4500b0d8a8af14b0371f95cc40c974%5Bcommi...] https://pagure.io/freeipa/issue/8647%5B#8647] * dnssec: fix the key type with OpenDNSSEC 2.1 https://pagure.io/freeipa/c/44762369fb05b67855a8dc81d647c8880d642902%5Bcommi...] https://pagure.io/freeipa/issue/8647%5B#8647]

=== Mohammad Rizwan (1)

* ipatests: Test if server setup without dns uninstall properly https://pagure.io/freeipa/c/85674f16a18a6d4917dcf56330dc122902b53475%5Bcommi...] https://pagure.io/freeipa/issue/8630%5B#8630]

=== Rob Crittenden (20)

* Remove the option stop_certmonger from stop_tracking_* https://pagure.io/freeipa/c/9872610f7df6576813715f5de239957042ca2c9d%5Bcommi...] https://pagure.io/freeipa/issue/8506%5B#8506], https://pagure.io/freeipa/issue/8533%5B#8533] * Add some logging around initial ACME deployment https://pagure.io/freeipa/c/6526ab48a36b068de1970a2685dcedcf4b278bd3%5Bcommi...] https://pagure.io/freeipa/issue/8712%5B#8712] * Add versions to the ACME config templates and update on upgrade https://pagure.io/freeipa/c/31061c60af065d7251a7aaf6d5c93e86434d12f2%5Bcommi...] https://pagure.io/freeipa/issue/8712%5B#8712] * Set the ACME baseURL in order to pin a client to a single IPA server https://pagure.io/freeipa/c/a16dc59447bceab9df7d0597e81af2f1a525ce4c%5Bcommi...] https://pagure.io/freeipa/issue/8712%5B#8712] * Add RHEL 9 UI branding patch reference https://pagure.io/freeipa/c/dffe69573e1ee5a14af12d83c9c86084cfa3a58d%5Bcommi...] https://pagure.io/freeipa/issue/8669%5B#8669] * Force-update translation after FreeIPA to IPA change: po/ipa.pot https://pagure.io/freeipa/c/936f98e93e43f1e30d3109d37009654db349a241%5Bcommi...] * Remove references to rjsmin in UI compile.sh https://pagure.io/freeipa/c/1478db894844ca4527e0017a7204d4d6f5695752%5Bcommi...] https://pagure.io/freeipa/issue/8669%5B#8669] * Remove support for csrgen https://pagure.io/freeipa/c/e35bec9a5214a836d938eae6c577a4f33fe5e4f9%5Bcommi...] https://pagure.io/freeipa/issue/8669%5B#8669] * Change FreeIPA references to IPA and Identity Management https://pagure.io/freeipa/c/f05ee29d10f2be294d707bd34bfc8399c06b63c5%5Bcommi...] https://pagure.io/freeipa/issue/8669%5B#8669] * ipatests: Handle non-zero return code in test_ipactl_scenario_check https://pagure.io/freeipa/c/00226adaa68935fbc1d85508eadafa420027edb5%5Bcommi...] https://pagure.io/freeipa/issue/8550%5B#8550] * Add exit status to the ipactl man page https://pagure.io/freeipa/c/302f9377e5c760bcf38be2b0503915ccadef8b67%5Bcommi...] https://pagure.io/freeipa/issue/8550%5B#8550] * Ensure IPA is running (ideally) before uninstalling the KRA https://pagure.io/freeipa/c/87ede26cc2bcbe543cb970a5e55cf1901791a100%5Bcommi...] https://pagure.io/freeipa/issue/8550%5B#8550] * ipactl: support script status 3, program is not running https://pagure.io/freeipa/c/ddb5414d56f57fdd18ad66fbc6a53410725dd9cd%5Bcommi...] https://pagure.io/freeipa/issue/8588%5B#8588] * Use the new API introduced in PKI 10.8 https://pagure.io/freeipa/c/4d26ce5061c5b7f9383286a108fc48b19b5bc65a%5Bcommi...] * Change CA profile migration message from info to debug https://pagure.io/freeipa/c/b99bc2d8b1e5226f61a7c980cfb7576dac222466%5Bcommi...] * Only build the UI with uglifyjs on RHEL 8 https://pagure.io/freeipa/c/5fb0cc43eab329e8cb0020ca96f70a05fa9bb4bd%5Bcommi...] https://pagure.io/freeipa/issue/8669%5B#8669] * Provide more detailed logging around memory detection https://pagure.io/freeipa/c/6eff5b9527d5d187922eed6f569d3e63d67e094d%5Bcommi...] https://pagure.io/freeipa/issue/8404%5B#8404] * ipatests: Update NSSDatabase DBM test on non-DBM-capable installs https://pagure.io/freeipa/c/7f1849e74a7c81213ec658058aec97033c84e038%5Bcommi...] https://pagure.io/freeipa/issue/8675%5B#8675] * Ignore database errors when trying to extract ipaCert on upgrade https://pagure.io/freeipa/c/348d4eef6f974c75cb546fc690bb3a20a789de28%5Bcommi...] https://pagure.io/freeipa/issue/8675%5B#8675] * Report the NSS database directory if it cannot be opened https://pagure.io/freeipa/c/b71c0c678430c38cbd22663cbf48229a23f19c8e%5Bcommi...] https://pagure.io/freeipa/issue/8675%5B#8675]

=== Stanislav Levin (3)

* rpm-spec: Require crypto-policies-scripts https://pagure.io/freeipa/c/0b11a7ce5542fae4d3d2ab0584d3dfe0f67ef617%5Bcommi...] * ipatests: Handle AAAA records in test_ipa_dns_systemrecords_check https://pagure.io/freeipa/c/151fa5040af0f044fe7bf0154c2dcfc58506a499%5Bcommi...] https://pagure.io/freeipa/issue/8683%5B#8683] * Azure: Populate containers with self-AAAA records https://pagure.io/freeipa/c/63b14839aff23db7977decbeb742949bd05a8219%5Bcommi...] https://pagure.io/freeipa/issue/8683%5B#8683]

=== Sergey Orlov (5)

* ipatests: use pexpect to control inetractive session of ipa-adtrust-install https://pagure.io/freeipa/c/34d72d16ee3ac4e3979eed5be7ddf31997a485b8%5Bcommi...] https://pagure.io/freeipa/issue/8690%5B#8690] * ipatests: use pexpect to invoke ktutil https://pagure.io/freeipa/c/1c15447e1345a3c93932e70dea1177f6a42fb2d4%5Bcommi...] https://pagure.io/freeipa/issue/8690%5B#8690] * ipatests: add a tests-oriented wrapper for pexpect module https://pagure.io/freeipa/c/29377901f7bc74baceda1bf42617dd69dacf10a2%5Bcommi...] https://pagure.io/freeipa/issue/8690%5B#8690] * ipatests: rewrite test for requests routing to subordinate suffixes https://pagure.io/freeipa/c/0d9f988f5eb5f07965582b84f1b3ac812125b63f%5Bcommi...] https://pagure.io/freeipa/issue/8554%5B#8554] * fix collecting log files which are symlinks https://pagure.io/freeipa/c/5517aa691805cccfa4d19a28a6dbf3319845c4a6%5Bcommi...]

=== Thorsten Scherf (1)

* man: fix ipa-client-samba.1 typos https://pagure.io/freeipa/c/b290bc12b25938db5e29b7742989a1a0c99f15f4%5Bcommi...]